{
    "slug": "defence_in_depth",
    "term": "Defence in Depth",
    "category": "general",
    "difficulty": "intermediate",
    "short": "Layering multiple independent security controls so that bypassing one does not compromise the whole system.",
    "long": "Defence in depth is a security principle borrowed from military strategy. No single control is assumed to be perfect — instead, multiple independent layers are applied so that an attacker must defeat all of them. Example: a web app uses prepared statements (layer 1) + WAF (layer 2) + least-privilege database user (layer 3) + monitoring (layer 4). If the WAF is misconfigured, the prepared statements still prevent SQL injection. Each layer should be independent — not relying on other layers having already validated input.",
    "aliases": [
        "layered defence",
        "defence in depth",
        "security layering"
    ],
    "tags": [
        "general",
        "security",
        "principles",
        "architecture"
    ],
    "misconception": "Defence in depth means redundant security controls doing the same thing. Layered defences address different attack vectors at different layers — a WAF, application-level input validation, parameterised queries, and least-privilege DB users each catch different attacks, not the same one repeatedly.",
    "why_it_matters": "Defence in depth layers multiple independent security controls — if one layer fails, others remain. A single vulnerability in one layer does not equal full compromise.",
    "common_mistakes": [
        "Relying solely on perimeter defences (firewall, WAF) and having no application-level controls.",
        "Security layers that are identical rather than independent — the same flaw defeats all layers.",
        "Not applying defence in depth to data access — assume SQL injection happens and encrypt sensitive columns.",
        "Treating defence in depth as checkbox compliance rather than genuine layering of independent controls."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "content_security_policy",
        "csrf",
        "owasp"
    ],
    "prerequisites": [
        "security_by_design",
        "principle_of_least_privilege",
        "input_validation"
    ],
    "refs": [
        "https://en.wikipedia.org/wiki/Defense_in_depth_(computing)"
    ],
    "bad_code": "// Single layer — WAF as the only defence:\n// WAF blocks known SQLi patterns\n// But uses string-concatenated queries directly\n// WAF bypass → direct database access\n// Better: WAF + parameterised queries + least-privilege DB user + encrypted columns",
    "good_code": "// Multiple independent layers — each one fails safely\n// Layer 1 — WAF blocks obvious attacks at CDN edge\n// Layer 2 — Rate limiting at load balancer\n// Layer 3 — Authentication middleware\n// Layer 4 — Authorisation check in controller\n// Layer 5 — Input validation in Form Request\n// Layer 6 — Prepared statements — SQL injection prevented even if validation is bypassed\n// Layer 7 — Output encoding — XSS prevented even if data is tainted\n// Layer 8 — CSP headers — XSS payload can't exfiltrate even if rendered\n\n// In code — don't rely on a single guard:\npublic function update(Request $req, int $id): JsonResponse {\n    $req->validate(['name' => 'required|string|max:100']); // L5 — input validation\n    $user = User::findOrFail($id);\n    if ($user->id !== auth()->id()) abort(403);             // L4 — authorisation, independent of L5\n    $user->update(['name' => $req->name]);                 // L6 (Eloquent binds parameters via PDO)\n    return response()->json(['name' => e($user->name)]);   // L7 — output encoding\n}",
    "quick_fix": "Layer controls: validate input + use prepared statements + apply WAF + least-privilege DB user — no single control should be the only defence",
    "severity": "info",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/defence_in_depth",
        "html_url": "https://codeclaritylab.com/glossary/defence_in_depth",
        "json_url": "https://codeclaritylab.com/glossary/defence_in_depth.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Defence in Depth](https://codeclaritylab.com/glossary/defence_in_depth) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/defence_in_depth"
            }
        }
    }
}